Troubleshoot: JumpCloud Conditional Access Policy Issues (Chrome DTC)

Here are a few things that you can check to quickly troubleshoot and resolve issues with your JumpCloud Chrome Conditional Access Policies (CAP) and the Chrome Device Trust Connector (DTC).

Verify Connector Deployment

  • Go to the Google Admin Console and click Devices > Chrome > Connectors.
    • Ensure the JumpCloud Device Trust Connector is configured and:
      • Assigned to the correct Organizational Units (OUs).
      • Applied to both browsers and profiles, or only to Browser, or only to Profile (the CAP action is enforced during access based on this setting).

Note:

If the connector isn’t deployed or isn’t mapped to the correct OUs, Conditional Access Policies cannot evaluate device trust, so enforcement will not work.

Validate the Enrollment Domain

  • Go to the Google Admin Console and click Account > Domains > Manage Domains.
  • Confirm the domain listed matches the domain used in user email addresses (e.g., @yourdomain.com).

Note:

A mismatched or unverified domain can prevent mapping Chrome sessions to JumpCloud users.

Review Default Access Policy Configuration 

  • If the Default Access Policy (under Conditional Access Policy settings) is set to Allow Authentication, you must create a new conditional access policy with a Denied action.
  • If the Default Access Policy (under Conditional Access Policy settings) is set to Deny Access, you must create a new conditional access policy with an Allowed action.

Tip:

The conditional access policy logic must align with the default access policy. This is a common point of failure.

Verifying the Device Trust Connector Configuration

Prerequisites:

Make sure that the managed device is enrolled and listed in the Google Admin console in an organizational unit where you configured the connector.

Verifying Application of Policies

To verify that policies are applied on a managed device:

  1. Open the Chrome browser on your device.
  2. Within a Chrome tab, type chrome://policy and press Enter.
  3. Click Reload policies.
  4. On Windows and macOS devices:
    • For BrowserContextAwareAccessSignalsAllowlist, make sure that Status is set to OK.
    • For BrowserContextAwareAccessSignalsAllowlist, click Show value and make sure that the value field is the same as what you set for URL patterns to allow, one per line.
  5. On ChromeOS devices:
    • For DeviceLoginScreenContextAwareAccessSignalsAllowlist, make sure that Status is set to OK.
    • For DeviceLoginScreenContextAwareAccessSignalsAllowlist, click Show value and make sure that the value field is the same as what you set for URL patterns to allow, one per line.

To verify that policies are applied on a managed profile:

  1. Open the Chrome browser on your device.
  2. Within a Chrome tab, type chrome://policy and press Enter.
  3. Click Reload policies.
  4. On Windows and macOS devices:
    • For UserContextAwareAccessSignalsAllowlist, make sure that Status is set to OK.
    • For UserContextAwareAccessSignalsAllowlist, click Show value and make sure that the value field is the same as what you set for URL patterns to allow, one per line.

Checking the State of the Device Trust Connector

In chrome://connectors-internals, a Managed Chrome Browser is reflected as deviceEnrollmentDomain and a Managed Chrome Profile as userEnrollmentDomain. Check chrome://connectors-internals using the steps below and confirm that the enrollment domain configured in the JumpCloud conditional access policy appears there, according to the conditions you set.

To check the state of the device trust connector on a managed browser or device:

  1. Open the Chrome browser on your device.
  2. Within a Chrome tab, type chrome://connectors-internals and press Enter.
  3. Check for these required values:
    • Is Enabled: true
    • DTC Enabled Levels: Browser
    • Key Manager Initialized: true
    • Key Sync: Success (200)
    • Can Collect Signals: true
    • "deviceEnrollmentDomain": <YOUR_COMPANY_ENROLMENT_DOMAIN> (as configured in CAP)
    • "userEnrollmentDomain": <YOUR_COMPANY_ENROLMENT_DOMAIN> (as configured in CAP)

On a managed profile:

If you are using the Managed Chrome Profile condition with an enrollment domain in a JumpCloud Conditional Access Policy, check that it is available in chrome://connectors-internals by following these steps:

  1. Open the Chrome browser on your device.
  2. Within a Chrome tab, type chrome://connectors-internals and press Enter.
  3. Check for these required values:
    • Is Enabled: true
    • DTC Enabled Levels: User
    • Key Manager Initialized: false
    • Consent Was Received: true
    • Can Collect Signals: true
    • "userEnrollmentDomain": <YOUR_COMPANY_ENROLMENT_DOMAIN> (as configured in CAP)

The connector can only provide device identity attestation if the key synchronization was successful.

Note:

If there is no value next to Key Manager Initialized, refresh the page until a value appears. If Is Enabled: true, it shouldn't take more than a minute.
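
The required values above can be checked mechanically against text copied from chrome://connectors-internals. This is an added example, not JumpCloud's or Google's code: it assumes the copied text uses the `Label: value` and `"key": "value"` lines shown in the steps, and the function names, sample text and domains are constructed for illustration.

```python
import re
# Required values per DTC level, as listed in the steps above.
REQUIRED = {
    "browser": {"Is Enabled": "true", "DTC Enabled Levels": "Browser",
                "Key Manager Initialized": "true", "Key Sync": "Success (200)",
                "Can Collect Signals": "true"},
    "profile": {"Is Enabled": "true", "DTC Enabled Levels": "User",
                "Key Manager Initialized": "false", "Consent Was Received": "true",
                "Can Collect Signals": "true"},
}
# Enrollment-domain signals that must equal the domain configured in the CAP.
DOMAIN_KEYS = {"browser": ("deviceEnrollmentDomain", "userEnrollmentDomain"),
               "profile": ("userEnrollmentDomain",)}
# Constructed sample text (pasted layout is an assumption), managed browser.
SAMPLE = '''Is Enabled: true
DTC Enabled Levels: Browser
Key Manager Initialized:
Key Sync: Success (200)
Can Collect Signals: true
"deviceEnrollmentDomain": "example.com",
"userEnrollmentDomain": "corp.example.net"
'''

def parse_state(text):
    """Parse 'Label: value' and '"key": "value"' lines into a dict."""
    state = {}
    for line in text.splitlines():
        m = re.match(r'\s*"?([^":]+)"?\s*:\s*"?(.*?)"?,?\s*$', line)
        if m:
            state[m.group(1).strip()] = m.group(2).strip()
    return state

def check_dtc_state(text, level, cap_domain):
    """Return a list of problems; an empty list means every check passed."""
    state, problems = parse_state(text), []
    for key, want in REQUIRED[level].items():
        got = state.get(key)
        if not got:
            problems.append(f"{key}: no value (refresh the page and re-check)")
        elif got.lower() != want.lower():
            problems.append(f"{key}: expected {want!r}, got {got!r}")
    for key in DOMAIN_KEYS[level]:
        got = state.get(key, "")
        if got.lower() != cap_domain.lower():
            problems.append(f"{key}: expected {cap_domain!r}, got {got!r}")
    return problems
if __name__ == "__main__":
    for problem in check_dtc_state(SAMPLE, "browser", "example.com"):
        print("FAIL:", problem)
```

Pass `"profile"` as the level to apply the managed-profile list instead; the domain comparison is case-insensitive.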

See Google’s documentation, "Manage Chrome Enterprise device trust connectors" (Chrome Enterprise and Education Help), to learn more.

Restart Chrome Browser

  • If users already have a Chrome browser session open, the browser may need a restart. Ask users to fully restart Chrome after:
    • Configuring the DTC and enforcing JumpCloud CAP

Tip:

Without restarting Chrome, device trust signals may not be sent, causing conditional access policies to behave incorrectly.

Check Conditional Access Logs

  • Go to JumpCloud Admin Portal > Insights > Directory Insights.
  • Review the following:
    • Which policy was evaluated
    • What conditions matched or failed
    • What action was enforced (Allow / Deny / MFA)

Additional Final Checks

  • Confirm user/group assignment to CAP.
  • Make sure the conditional access policy is active.
